Karnataka Gig Worker’s Act and DPDPA..2

In debating the DPDPA implications arising out of employment contracts, one issue that comes forth is how “Gig Workers” get represented in the DPDPA. In this connection we can refer to The Karnataka Platform Based Gig Workers (Social Security and Welfare) Act, 2025, Act No. 72 of 2025, which has been effective from 30th May 2025.

Also refer here

As per the Karnataka act, “Gig worker” means a person who performs work or participates in a work arrangement that results in a given rate of payment, based on terms and conditions laid down in such contract and includes all piece-rate work, and whose work is sourced through a platform, in the services specified in the Schedule;

(The Act is applicable only to platform based Gig workers and not others. Applicability for others who might apply for registration with the Board is not clear.)

Currently, Indian labour and employment laws recognize three main categories of employees: government employees, employees in government-controlled corporate bodies known as Public Sector Undertakings (PSUs), and private sector employees who may be managerial staff or workmen. All these employees are ensured certain working conditions, such as minimum wages under The Minimum Wages Act, 1948, a set number of hours of work, compensation for termination, etc. Currently, gig workers lack the ‘employee’ status under Indian law, resulting in several consequences, such as an inability to form unions to represent their interests, exploitative contracts, etc.

The Contract Labour (Regulation and Abolition) Act, 1970 regulates the engagement of contract labour in India, including work done through third-party contractors. There is scope for gig workers who work for platforms to be “contractors” under this law. This imposes obligations on employers to comply with the requirements under this law, including welfare and health obligations towards such workers such as the provision of canteens, first aid, etc.

Under DGPSI we have been frequently mentioning that an “Individual” who works under a contract with another organization in a capacity other than “Employment” should be considered as a “Joint Data Fiduciary” or a “Data Processor” depending on the terms of the contract and whether it deals with personal data processing.

[Recently, there was a debate with an AI model on whether an individual can be a “Data Processor” under the DPDPA 2023, and I held the view that if an individual can be a data fiduciary under DPDPA, then he can also be a data processor. This was like the Arnab-Blue Machine debate and finally I decided to keep my view for the time being as the Jurisprudential view consistent with our approach to DGPSI.

The “Jurisprudential” view, whether right or wrong, is the prerogative of the human. An AI can only respond from the training data and is not capable of expressing the “Jurisprudential View”. The “Jurisprudential View” falls within the “Creative interpretation” which also introduces the “Unknown Risk” and hence is not expected of an AI tool. This is another indication that AI as a tool can substitute lower level employee decisions which are routine in nature and not decisions which are not supported by past data.]

Leaving this digression aside, let us dive deeper into the Karnataka Act, which was aimed at aggregators of the Rapido or Amazon kind, and at a “Platform” defined as

… any arrangement providing a service through electronic means, at the request of a recipient of the service, involving the organization of work performed by individuals at a certain location in return for payment, and involving the use of automated monitoring and decision making systems or human decision making that relies on data.

To the extent this law tries to regulate “Cyber Space Activities”, we still consider that such laws made by State Governments are ultra vires section 90 of the Information Technology Act 2000, though even the Central Government is not interested in pressing this nuance.

The main purpose of the Act is to provide “Social Security” for GIG workers with the constitution of a Welfare Board.

One of the obligations of the platform is to enter into “Fair Contract” with the Gig workers.

More importantly, the law states

“Section 13 (1) The aggregator or platform must inform the platform based gig worker, in simple language and in Kannada, English or any other language listed in the Eighth Schedule of the Constitution of India known to the Gig worker, regarding the procedure to seek information in respect of the automated monitoring and decision making parameters employed by the aggregator or platform, which have an impact on their working conditions, including but not limited to fares, earnings, customer feedback and allied information, as may be prescribed.

(2) The aggregator or platform shall take measures to prevent discrimination on the basis of religion, race, caste, gender, or place of birth or on the grounds of disability by the automated monitoring and decision making systems deployed by them”.

While the platform is obliged to follow the law as stated in sec 13(2), the provision fails to recognize the right of choice of the consumer to designate the qualifications of a worker who provides the service. This needs to be debated.

This act is applicable to the following services.

1. Ride sharing services.
2. Food and grocery delivery services.
3. Logistics services.
4. e-Market place (both marketplace and inventory model) for wholesale/retail sale of goods and/or services, Business to Business / Business to Consumer (B2B/B2C).
5. Professional activity provider.
6. Healthcare.
7. Travel and hospitality.
8. Content and media services.

When we discuss “Health Care” for gig workers, we normally associate it with platforms such as “Practo” or “Nursing services” etc.

A point to discuss is whether a “Specialized Surgeon providing services in a hospital not as an employee but as a consultant” would also fall within the definition of a “Gig Worker”.

If so, then the “Right of Choice” of the consumer to restrict the choice of the service provider should also be recognized, since it is a life-critical decision.

If the principle of “Right of Choice to choose a service provider” is recognized for the medical profession, the next question is why it should not be applied to a food delivery situation or a ride sharing service. Can the consumer stipulate that the service should be provided only by a certain gender or religion etc. without it being considered “Discriminatory”?

We recall the debate in UP where the Government mandated that food stalls should display the owner details to enable consumers to choose between stalls. Though this was opposed at that time for political reasons, in a neutral situation this should be a “Consumer Choice”. If so, the platforms need to ask for such choice from the consumer and follow his “Permission” to use any specific category of service provider.

I am sure that this will be flagged as undesirable, but it needs an impassioned debate. However, the presence of this law corroborates the need to recognize three kinds of “Contractual Employees” in the DGPSI-HR framework, namely

    1. An employee of organization A being placed to work in organization B under an organization to organization contract with a possible Personal Data Processing assignment.
    2. An employer B who accepts contractual employees from another organization A and assigns personal data processing work to them.
    3. A Contractual employee (GIG worker) of organization A being assigned to organization B for personal data processing assignments.

The DGPSI-HR framework suggests appropriate policies and back to back contracts to ensure that the responsibilities of a Data Fiduciary are properly managed in such situations.

Let us debate this today in the open house discussion on DGPSI-HR. Be there if you are interested.

Naavi

Posted in Privacy

Karnataka Gig Worker’s Act and DGPSI-HR

While I was debating on DGPSI-HR and a specific provision related to “Contract Employees”, the issue of gig workers came to the table. In this context I am trying to look into the Karnataka Platform Based Gig Workers (Social Security and Welfare) Act, 2025, which is interesting to discuss. This is a topic for deeper discussion amongst HR law experts, but I am presenting this here to draw their attention and to comment on the specific provision of DGPSI-HR.

The DGPSI-HR is a special framework under the DGPSI (Data Governance and Protection Standard of India) meant for providing a guideline for DPDPA compliance by HR divisions of organizations as well as HRMS companies.

There are two model implementation specifications in the framework which state as follows.

MIS 4 (DGPSI-HR):

All contract employees, consultants, and outsourced personnel engaged by the Organization who have access to or process Personal Data shall act under the authority of the Organization and shall be bound by written confidentiality, security and data-protection obligations aligned to the Digital Personal Data Protection Act, 2023 (DPDPA).

Where a consultant or service provider independently or jointly determines the purposes and means of processing Personal Data, such party shall be treated respectively as a Data Fiduciary or Joint Data Fiduciary for that processing.

MIS 5 (DGPSI-HR):

Where the Organization supplies its employees to another organization and such personnel process Personal Data under the instructions of the recipient organization, the recipient organization is the primary Data Fiduciary.

The supplying Organization, to which the individual worker has “Employment” obligations, shall be considered as jointly determining the means of processing, and hence both organizations shall be considered as data fiduciaries. (This is consistent with the employment status of such workers.)

The Organization supplying personnel shall ensure project specific back-to-back contractual obligations with such personnel, including confidentiality, security and lawful-processing duties, aligned with its obligations under any Data Processing or Joint Data Fiduciary agreements.

We shall discuss these provisions in today’s open house discussion on DGPSI-HR in a Zoom session (link available in the image above). Interested persons may attend and contribute their thoughts on this 27-specification framework.

…To be continued

Naavi

Posted in Privacy

South African Court debates Employee Data Vs Personal Data under Privacy Act

A case, Zulu Nyala Game Ranch (PTY) Ltd vs Christian Bukes and Custom Trails (PTY) Limited, which discusses some interesting thoughts on employee information and the privacy act, has been reported.

The order protects the right of an employer to restrain an outgoing employee from disclosing its confidential trade sensitive customer information which is bound by the confidentiality under privacy laws.

The issue is that the applicant is a business entity which provides services to individuals and therefore holds the personal data of its customers as part of its business activity. Such information has economic value to the company besides providing certain privacy rights to the individuals.

The first respondent was an employee and the second respondent was a company promoted by the wife of the employee.

The first respondent’s employment contract contained confidentiality clauses that expressly prohibited him from disclosing, inter alia, trade secrets, marketing material, customer lists or supply lists, business affairs, technical methods, electronic mail and processes of the applicant’s operations. The employment contract also mandated return of such material on termination.

The employee, even during employment, was sharing the company’s customer information with his wife’s entity and was dismissed from service. He then continued to use the information and converted it into a business opportunity similar to that of the applicant.

The applicant proceeded against the wife’s business entity for infringement of its trade secrets etc.

The action of the employee was considered a “Breach of Trust” whether or not a “Breach of Contract” (ed: Which depends on the clauses in the employment contract).

The essence of the judgement was that the personal information recognized as such under the Privacy Act was also the business information, and hence qualified for consideration as a breach of trade secrets.

This establishes the dual nature of the data and the concept of “Joint ownership of transaction data between the business entity and the individual”.

In the Indian context the ITA 2000 would have recognized this as “Unauthorized diminishing of value” [Section 66(i)] and also as breach of trust under BNS. It also establishes the DGPSI concept of recognizing such data as transaction data which can be retained after the immediate purpose. However, such retention should be for legitimate use and must be adequately secured.

An employee’s breach involving data acquired during their employment would amount to a criminal activity and is punishable under ITA 2000 and BNS.

Judgement copy

(Comments are welcome)

Naavi

Posted in Privacy

DPDPA liability for HR operations

It is well known that every organization that has employees is exposed to DPDPA non-compliance risk. Though “For Employment” is considered a reason for bringing a personal data processing situation under the “Legitimate Use” basis, it only covers the exemption from notice and consent and leaves the rest of the obligations intact.

Some organizations use HRMS services from third parties and also use manpower on contract basis.

The application of DPDPA in these special circumstances needs to be analysed to determine how to navigate the compliance requirements.

FDPPI recommends the use of a specific framework, DGPSI-HR, to manage DPDPA compliance in HR operations.

As a part of the development process, an open house presentation would be made on 15th January 2026 at 7.00 pm. Interested parties are welcome to attend and contribute to the thoughts.

Naavi

Posted in Privacy

“Arnab Vs AI” an interesting conversation

Yesterday there was an interesting TV program where Mr Arnab Goswami, of the Republic TV had a long live conversation with the “Blue Machine” an enterprise AI developed in India. It was an exploration of how the AI would respond  to the persistent questioning of Mr Arnab.

Blue Machine is a family of AI systems developed by Apnatime Tech Private Limited, a company in Bengaluru (registered in Mumbai), incorporated in 2019 with Nirmit Vidyut Parikh and Vidyut Harivadan Parikh as the promoters.

The full interview is available here

The Blue Machine Enterprise Voice AI is said to be an AI system meant for use in industries such as Banking, Airlines, Insurance etc. for customer interaction. It can hold a long, context-based conversation, as was demonstrated in the above program. As we all know, having a conversation with Mr Arnab, particularly when he is probing to induce an erroneous statement from the respondent, is a big challenge. We must admit that the Blue Machine managed the conversation for nearly an hour with great aplomb.

I admit I was expecting the Blue Machine to show some hallucination and breaking of the guardrails during the persistent questioning. But it did not happen. The AI successfully managed the session without showing any strain from the questioning: the repetitive exploration, expressions of distrust, criticism etc. from Mr Arnab’s side.

The AI persistently held that it has rigid guardrails which it cannot cross and  it believes that AI will be  only a support tool to human beings and will not go sentient.

For the time being we must believe that the version of AI demonstrated yesterday passed the test and appears more than capable of handling effective conversation with customers of an organization explaining any given service.

In the program it was indicated that the AI system was developed in India by a team but is still a system built on other foreign systems. In yesterday’s program, what was required was a general response on ethics, the need for human oversight etc. On domain knowledge, the AI exhibited a vast exposure to developments in the news but avoided any controversial statements despite persistent questioning by Mr Arnab.

The website has displayed a Vulnerability disclosure policy document where the scope of the AI is declared as limited to the domains mentioned in the list of in-Scope systems and a big list of vulnerabilities. It has announced a bug bounty program to support reporting of vulnerabilities with a “Hall of fame” recognition but without cash rewards.

There is an indication of compliance with ISO standards, HIPAA, NIST and SOC 2. Currently there is no mention of DPDPA 2023.

The Privacy policy (Version January 12, 2026) is the legacy style “One Declaration for all Services”. It extends to the website and all the services. This design suffers from the collection of permissions which are not relevant to a majority of visitors to the website.

The policy suggests that “By accepting the terms” …a consent is deemed to have been provided. But we could not see any “Accept Button” nor any indication of an authenticated consent.

Since visitors to the website are mixed up with the service users, personal information collected from individual visitors is mixed up with the details provided by business entities proposing to use the services, who provide “Business Contact Details” which are not strictly within the definition of “Personal Data”.

The excessive permissions sought to be collected include one-time or continuous access to:

(i) automatically receive, collect and analyze your location data which may be accessed through a variety of methods including, inter alia, GPS, Internet Protocol address, and Device location;

(ii) collect data pertaining to your Device and your usage thereof, including, inter alia, data about your Device, and data about your use of features or functions on your Device;

(iii) camera access to scan/capture/upload documents and/or photographs;

(iv) microphone permissions; and

(v) any other files and media.

The company also declares that it may collect information about “you” from all sources, including information “sourced from public websites and social media, including but not limited to your publicly accessible profiles, etc; and sourced via cookies and similar tracking technologies as deployed on our Services”, though no cookie consent popped up during the visit.

The purpose of use includes “develop, train, and improve our existing Services and such other aspects we deem necessary;”, “identify a user”, “to enable  marketing”, “to undertake mergers, acquisitions”, “to comply with obligations we may have with any other third party”.

Undisclosed third parties are mentioned as potential recipients of personal data collected by the organization.

Many of these purposes need further explanation.

The visiting of the website has also been brought under legally binding contract under the terms and conditions. “Access” to the platform is deemed as an “Explicit Consent”.

We await refinements to the Privacy Policy and the commitment to comply with the Indian DPDPA 2023.

We however take this opportunity to congratulate the team for building a conversation platform which could successfully negotiate the Arnab Test. I am sure that no customer of any of the services using the platform is as probing as Arnab, and hence it can be expected that it would effectively manage any tricky customer enquiring about the services of the organization.

It would be interesting to see how the Blue Machine Privacy Policy holds up to the DGPSI and DGPSI-AI frameworks. Maybe we can explore it in another article.

Naavi

Posted in Privacy

Tax Professionals in the Age of Personal Data Protection: Operational and Legal Impacts of DPDP Act

Article Contributed by: Mr. M. G. Kodandaram

Introduction

The Digital Personal Data Protection Act, 2023[i] (DPDP Act), read with the Digital Personal Data Protection Rules, 2025[ii](DPDP Rules), marks a structural shift in India’s regulatory approach to personal data in digital form. While the law applies horizontally across sectors, its impact on tax professionals, engaged in both direct and indirect tax compliance, advisory, litigation, and technology-driven reporting, is particularly profound.

Tax practice in India is inherently data-intensive. From personal data like PAN, Aadhaar, bank details, income tax returns, salary structures, invoices, GST returns, e-way bills, shipping documents, to digital audit trails and electronic evidence, tax professionals routinely process vast volumes of sensitive personal and financial data. The DPDP framework introduces a rights-centric and accountability-driven regime that fundamentally reshapes how such data may be collected, stored, shared, retained, and erased.

The DPDP Act and the accompanying Rules do not operate merely as a privacy law; they establish a comprehensive compliance architecture that directly interfaces with Income Tax, GST, Customs, Corporate Tax advisory, audits, representations before statutory authorities, and tax technology platforms. This article examines how the DPDP regime repositions tax professionals as regulated Data Fiduciaries and Data Processors, thereby expanding their legal exposure beyond traditional tax statutes to include significant data protection liabilities, including penalties running into hundreds of crores.

Digitalisation of Tax Administration

Over the last two decades, India’s tax administration has undergone a far-reaching process of digitalisation that has fundamentally reconfigured the manner in which taxes are assessed, administered, monitored, and enforced across statutes.

Under the Income-tax Act, the shift to mandatory electronic filing of returns, statements, audit reports, and transfer pricing documentation has been accompanied by the introduction of faceless assessments, faceless appeals, and centralised processing through CPC and NFAC mechanisms. These reforms have replaced physical interfaces with algorithm-driven workflows, electronic notices, and digital evidence submissions, making the tax process heavily dependent on continuous flows of personal, financial, and transactional data. The increasing use of data analytics, risk-based scrutiny selection, and AI-assisted profiling further underscores the centrality of digital data in contemporary income-tax administration.

The Goods and Services Tax (GST) regime has accelerated this transformation by embedding technology at the core of compliance and enforcement. The GST Network (GSTN) operates as a unified digital backbone for registration, return filing, tax payments, refunds, audits, and adjudication. The introduction of e-invoicing, e-way bills, automated matching of input tax credit, and system-generated notices has created a real-time compliance environment where vast volumes of supplier-customer data, logistics information, banking details, and identity records are continuously processed. GST compliance is no longer episodic but perpetual, driven by integrated digital systems that require tax professionals to manage, reconcile, and interpret data streams across multiple platforms.

A similar course is evident in customs and indirect tax administration, where automation through ICEGATE, faceless assessment groups, electronic bills of entry, shipping bills, risk management systems, and integration with port, shipping, advance electronic filing of arrival and departure manifests, and logistics platforms has transformed trade facilitation and enforcement. Importers and exporters are now subject to digital documentation requirements involving invoices, packing lists, valuation data, origin certificates, and logistics information, all of which are processed, shared, and retained electronically across interconnected government systems. Customs compliance has thus become deeply intertwined with data governance, cybersecurity, and information management.

Collectively, these developments have blurred the traditional doctrinal boundaries between tax law and information law. Tax professionals today do not merely advise on statutory interpretation or compliance strategy; they operate as custodians, processors, and managers of extensive digital repositories containing sensitive personal, financial, and commercial data. In this transformed regulatory environment, the DPDP Act, 2023 assumes critical importance, not as a peripheral privacy statute, but as a central governing framework that directly regulates the everyday conduct of tax practice. The DPDP regime overlays the digital tax ecosystem with enforceable data protection obligations, redefining professional responsibility in an era where tax administration is inseparable from technology-driven data governance.

Tax Professionals as Data Fiduciaries and Data Processors

The DPDP Act introduces a fundamental reclassification of roles that has direct and far-reaching implications for tax professionals. Section 2(i) and (k) of the Act draws a clear distinction between a Data Fiduciary, defined as any person who determines the purpose and means of processing personal data, and a Data Processor, who processes such data on behalf of a Data Fiduciary. When applied to tax practice, this distinction assumes practical and legal significance.

A chartered accountant firm, tax consultancy, GST practitioner, or law organisation that decides what client data is collected, the manner in which it is stored, the purposes for which it is analysed, and the circumstances in which it is shared with tax authorities or other stakeholders, clearly exercises decisive control over both the purpose and the means of processing. Such professionals, therefore, function squarely as Data Fiduciaries under the DPDP framework. Conversely, cloud-based accounting software providers, GST return-filing utilities, GST Suvidha Providers (GSPs), payroll processors, document management systems, and outsourced IT service providers typically operate as Data Processors, handling personal data strictly on behalf of and under the instructions of the tax professional or firm.

The DPDP Act places the ultimate responsibility for compliance firmly on the Data Fiduciary, irrespective of whether the actual processing activity is outsourced to third-party technology vendors. For tax professionals, this represents a decisive shift from the long-held assumption that risks associated with client data are borne primarily by software providers. Under the DPDP regime, accountability cannot be delegated; tax professionals remain legally answerable for the security, lawful processing, and protection of client data throughout the entire data lifecycle.

Consent and Notice: Rethinking Client Engagement

One of the most transformative features of the DPDP regime is its fundamental re-engineering of the concept of consent, which directly impacts the manner in which tax professionals engage with their clients. Traditionally, personal data in tax practice has been collected through engagement letters, email correspondence, online portals, authorisation forms, and, at times, informal exchanges, with limited emphasis on granular disclosure of data usage. The DPDP Act alters this position by elevating informed consent to a core legal foundation for lawful data processing.

Consent is no longer a broad or implied understanding embedded within professional engagement; it must be free, specific, informed, unconditional, and unambiguous, and must be evidenced through a clear affirmative action by the data principal. Crucially, such consent must be preceded by a clear and standalone notice that transparently explains the nature of the personal data being collected, the precise purposes for which it will be processed, the manner in which it may be shared, and the rights available to the individual, including the right to withdraw consent. Equally significant is the requirement that withdrawal of consent must be as easy and accessible as the process by which consent was originally given, thereby preventing procedural barriers or indirect compulsion.

These requirements have direct and immediate implications for client onboarding forms, engagement letters, GST return authorisations, powers of attorney, and vakalatnama-based representations before tax authorities. Tax professionals are now required to explicitly articulate and disclose the exact purposes of data processing, whether it is for statutory compliance, advisory services, litigation support, representation before authorities, statutory record retention, or regulatory disclosures, thereby transforming client engagement documents into instruments of transparency and legal accountability under the DPDP framework.

Legitimate Uses Without Consent: Relief for Statutory Compliance

The DPDP Act adopts a pragmatic approach by recognising that, in regulated professions such as taxation, certain forms of data processing are not merely incidental but legally unavoidable. Section 7 of the Act therefore carves out a carefully structured exemption permitting the processing of personal data without obtaining express consent where such processing is undertaken for “legitimate uses.” These include compliance with any law in force in India, adherence to judicial or regulatory orders, responding to legal claims, and the discharge of State functions, including taxation. This statutory recognition is of critical importance to tax professionals, whose day-to-day activities are intrinsically linked to mandatory disclosures and statutory compliances.

In the context of GST and other tax laws, activities such as filing returns, furnishing statements, responding to notices and summons, producing books of account and electronic records, participating in audits, investigations, and adjudication proceedings, and representing clients before tax authorities are not discretionary acts but legal obligations imposed by statute. The DPDP framework acknowledges this reality and ensures that such essential functions are not rendered unworkable by rigid consent requirements. Consequently, tax professionals are not required to obtain fresh or repeated consent for each instance of data processing that is directly necessitated by statutory compliance or regulatory compulsion.

At the same time, the exemption under Section 7 is not open-ended. It is expressly purpose-limited and must be construed narrowly to align with the specific legal obligation that justifies the processing. While personal data may be processed to the extent necessary for compliance with tax laws or judicial directives, the same data cannot be retained indefinitely, repurposed for unrelated commercial analysis, internal profiling, or shared with third parties beyond what the law mandates. Any secondary use of data must independently satisfy the requirements of consent or another recognised lawful basis under the Act. For tax professionals, this imposes a nuanced obligation to distinguish between statutorily compelled processing and discretionary data use, ensuring that the former remains confined to its legal purpose while the latter is subjected to the full rigour of the DPDP consent and accountability framework.
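The consent requirements described under “Consent and Notice” (purpose-specific, affirmative, withdrawable) and the purpose-limited Section 7 exemption discussed in this section together decide whether a given processing request may proceed. The following is an added illustration, not code from the article or its author: a small lawful-basis check that a tax firm’s intake system could run before processing. The purpose labels, the consent-ledger layout and the `ts()` helper are assumptions made for the example.

```python
"""Lawful-basis check for processing a tax client's personal data.

Added illustration, not part of the article. It encodes only what the text
states: consent must be purpose-specific, preceded by a standalone notice,
given by an affirmative act and withdrawable as easily as it was given;
statutory compliance and litigation are "legitimate uses" needing no
consent; and that legitimate-use basis is purpose-limited, so secondary
uses such as marketing or profiling must rest on their own consent.
The purpose labels, the ledger layout and the ts() helper are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional


class Purpose(str, Enum):
    STATUTORY_FILING = "statutory_filing"      # returns, notices, audits
    LITIGATION = "litigation"                  # representation before authorities
    ADVISORY = "advisory"                      # discretionary advisory work
    MARKETING = "marketing"                    # secondary commercial use
    INTERNAL_PROFILING = "internal_profiling"  # secondary analytics


# Purposes the article places under Section 7 legitimate uses (compliance
# with law, orders and legal claims). Everything else needs consent.
LEGITIMATE_USES = {Purpose.STATUTORY_FILING, Purpose.LITIGATION}


def ts(year: int, month: int, day: int) -> datetime:
    """Timezone-aware timestamp helper used for the sample data."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class ConsentRecord:
    client_id: str
    purpose: Purpose
    given_at: datetime
    notice_version: str       # the standalone notice shown beforehand
    affirmative_act: bool     # True only for an explicit act, never a pre-ticked box
    withdrawn_at: Optional[datetime] = None

    def is_valid(self, at: datetime) -> bool:
        """Valid only if affirmative, preceded by a notice, already given and
        not withdrawn at the time of processing."""
        if not self.affirmative_act or not self.notice_version:
            return False
        if self.given_at > at:
            return False
        return self.withdrawn_at is None or self.withdrawn_at > at


@dataclass
class ConsentLedger:
    records: List[ConsentRecord] = field(default_factory=list)

    def give(self, client_id: str, purpose: Purpose, notice_version: str,
             affirmative_act: bool, at: datetime) -> ConsentRecord:
        rec = ConsentRecord(client_id, purpose, at, notice_version, affirmative_act)
        self.records.append(rec)
        return rec

    def withdraw(self, client_id: str, purpose: Purpose, at: datetime) -> int:
        """One call withdraws every live consent for that purpose, so
        withdrawing is no harder than giving. Returns the number withdrawn."""
        n = 0
        for rec in self.records:
            if rec.client_id == client_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = at
                n += 1
        return n

    def has_valid_consent(self, client_id: str, purpose: Purpose, at: datetime) -> bool:
        return any(r.client_id == client_id and r.purpose == purpose and r.is_valid(at)
                   for r in self.records)


def lawful_basis(ledger: ConsentLedger, client_id: str, purpose: Purpose, at: datetime) -> str:
    """Return 'legitimate_use', 'consent' or 'refuse' for a processing request.

    The legitimate-use basis is tied to the statutory purpose itself and does
    not carry over to secondary uses, which must stand on their own consent.
    """
    if purpose in LEGITIMATE_USES:
        return "legitimate_use"
    if ledger.has_valid_consent(client_id, purpose, at):
        return "consent"
    return "refuse"


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.give("C1", Purpose.MARKETING, "notice-v1", True, ts(2026, 1, 1))
    print(lawful_basis(ledger, "C1", Purpose.STATUTORY_FILING, ts(2026, 2, 1)))
    print(lawful_basis(ledger, "C1", Purpose.MARKETING, ts(2026, 2, 1)))
    ledger.withdraw("C1", Purpose.MARKETING, ts(2026, 2, 1))
    print(lawful_basis(ledger, "C1", Purpose.MARKETING, ts(2026, 3, 1)))
```

The design point is that `lawful_basis()` never lets the statutory-compliance basis leak into marketing or profiling: those purposes are answered only from the consent ledger, and a record created without an affirmative act (a pre-ticked box) or without a notice version is treated as no consent at all.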

Data Retention vs Tax Record Retention

A significant area of friction under the DPDP framework arises from the intersection of data minimisation and erasure principles with the entrenched record-retention obligations embedded in tax statutes. Indian tax laws operate on the premise of extended and, in some cases, open-ended retention of records to enable assessment, reassessment, audit, investigation, and appellate scrutiny. Income-tax legislation routinely requires preservation of books of account, supporting documents, and electronic records for periods ranging from six to ten years, with longer retention triggered in cases involving reassessment or search proceedings. Similarly, the GST regime mandates maintenance of records for a minimum of six years from the due date of the annual return, while transfer pricing documentation may be required to be preserved for up to ten years given the extended limitation periods and international information-exchange obligations. Where litigation is pending, records are often retained indefinitely as a matter of necessity, professional prudence, and judicial expectation.

Under the DPDP regime, personal data is to be retained only for as long as it is necessary to fulfil the specific purpose for which it was collected, subject to a universal minimum retention period of one year, and based on the principles of purpose limitation and data minimisation. Beyond this baseline, continued retention is permitted only where it is required by law. This creates an inherent legal anxiety for tax professionals, who must reconcile long statutory retention mandates with the DPDP’s expectation of timely erasure once the purpose of processing is exhausted. The Act does not override tax laws, but it does require that the justification for prolonged retention be legally defensible and demonstrably linked to a statutory obligation.

In practical terms, this places a new compliance burden on tax professionals and firms to actively map and document the legal basis for retaining client data beyond the DPDP’s general erasure expectations. Each category of record (returns, working papers, correspondence, litigation files, electronic data and the like) must be aligned with the specific tax provision, limitation period, or judicial proceeding that necessitates its retention. Absent such documentation, continued storage may be vulnerable to challenge as unlawful or excessive under the DPDP framework. The failure to undertake this mapping exercise exposes firms not only to regulatory scrutiny but also to allegations of unlawful data hoarding, thereby transforming record retention from a passive archival function into an active compliance obligation at the intersection of data protection and tax law.

Data Breach Obligations

The DPDP regime introduces a fundamentally new layer of compliance risk for tax professionals by transforming data security incidents from internal risk-management concerns into statutorily regulated events. Tax firms routinely handle some of the most sensitive categories of personal and financial data in the regulatory ecosystem, and the concentration of such high-value data makes tax professionals particularly vulnerable to cyber incidents, phishing attacks, ransomware, insider leaks, and inadvertent disclosures arising from cloud-based collaboration and outsourced IT systems.

Under the Rules, any personal data breach triggers immediate and non-discretionary obligations. The affected data principals must be informed without delay, ensuring transparency and enabling them to take protective measures. Simultaneously, the breach must be intimated to the Data Protection Board of India, followed by the submission of a detailed report within seventy-two hours setting out the nature of the breach, the categories of data compromised, the likely consequences, and the remedial steps undertaken. These obligations apply irrespective of whether the breach occurred within the firm’s own systems or at the level of a third-party data processor, reinforcing the principle that ultimate accountability rests with the Data Fiduciary.

This represents a decisive departure from traditional professional practice. Historically, data breaches in tax firms were treated primarily as reputational crises, managed through client communication, internal remediation, and, at most, contractual liability. The DPDP framework reclassifies such incidents as potential statutory violations, attracting severe financial consequences. With penalties that may extend up to ₹250 crore, data breach compliance now assumes the same seriousness as substantive tax defaults or professional misconduct. For tax firms, this necessitates the institutionalisation of incident response protocols, cybersecurity audits, breach notification workflows, and contractual risk allocation with IT vendors. Data protection compliance is no longer ancillary to tax practice; it has become an integral component of professional risk management in the digital tax ecosystem.

GST, Income Tax and the Compliance Technology Stack

Contemporary GST and income-tax practice operates on a dense and interlinked compliance technology stack, without which statutory obligations are practically impossible to discharge. Cloud-based accounting systems, GST return-filing utilities, e-invoice generation and reconciliation tools, customs and ICEGATE interfaces, and increasingly AI-driven analytics for risk assessment and advisory have become integral to day-to-day professional functioning. These platforms process vast volumes of personal and financial data on a continuous basis, often across multiple jurisdictions and servers, fundamentally reshaping how tax compliance is delivered.

The DPDP framework directly intervenes in this technology-driven ecosystem by re-characterising software vendors and platform providers as Data Processors and imposing enhanced accountability on tax professionals as Data Fiduciaries. Contracts with accounting software providers, GST utilities, payroll platforms, and analytics vendors can no longer remain purely commercial or functional. They must now incorporate robust data protection clauses covering purpose limitation, confidentiality, security safeguards, breach reporting timelines, sub-processing restrictions, and audit rights. Informal or standard “click-wrap” arrangements that lack DPDP-compliant safeguards expose tax firms to significant regulatory risk.

Operationally, the DPDP Rules mandate the maintenance of access logs and audit trails for personal data processing, with a minimum retention period of one year. This requirement assumes particular significance in tax practice, where multiple staff members, partners, and external consultants may access the same client datasets through shared platforms. Firms must therefore implement granular access controls, role-based permissions, and logging mechanisms capable of demonstrating who accessed what data, when, and for what purpose. These measures are not merely best practices but evidentiary safeguards in the event of regulatory scrutiny or breach investigations.

Children’s Data, Employees, and Payroll Processing

The DPDP Act adopts a heightened standard of protection in relation to children’s personal data, a feature that has direct implications for tax professionals engaged in payroll processing, employee taxation, and TDS compliance. Under Section 2(f) of the Act, a “child” is defined as an individual who has not completed eighteen years of age, and “children’s data” refers to personal data relating to such individuals.

In cases where personal data relating to minors is processed, the DPDP regime mandates verifiable consent of the parent or lawful guardian, subject to limited statutory exemptions. This requirement assumes relevance where tax professionals process information about employees’ minor children for computing exemptions, deductions, or benefits that are linked to payroll structuring or statutory disclosures. While the Act recognises certain exemptions for employment-related data processing, these exemptions are not absolute and must be interpreted in light of the purpose and necessity of the processing activity. Data collected strictly for compliance with tax laws or labour regulations may fall within the legitimate use framework, but any processing beyond this narrow purpose attracts enhanced scrutiny.

Consent Managers and the Future of Tax Compliance Platforms

The DPDP Act introduces the concept of Consent Managers as a distinct institutional mechanism designed to operationalise consent in a structured, transparent, and technology-driven manner. Under Section 2 of the Act, a Consent Manager is defined as a person registered with the Data Protection Board of India (DPBI) who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw consent through an accessible, interoperable, and secure platform. This definition marks a significant shift from informal, document-based consent practices to an auditable and standardised consent architecture governed by regulatory oversight.

In the context of taxation, the emergence of Consent Managers has far-reaching implications for the future of tax administration and compliance technology. Indian tax authorities are increasingly dependent on consent-based data flows across multiple regulatory silos, including banking systems, GSTN, income-tax databases, customs platforms, and corporate filings under the MCA framework. As data-driven governance deepens, Consent Managers may evolve into regulated intermediaries facilitating lawful and traceable data sharing between taxpayers, professionals, financial institutions, and government platforms. This could fundamentally alter how authorisations, mandates, and data access permissions are granted and monitored in tax compliance ecosystems.

For tax professionals, particularly those advising fintech, regtech, and tax technology platforms, this development opens up an entirely new compliance and advisory frontier. Consent Managers could become embedded within return-filing portals, GST reconciliation tools, payroll platforms, and AI-driven compliance dashboards, enabling real-time, revocable, and purpose-specific access to taxpayer data. Such an architecture would not only enhance data protection compliance but also reduce disputes over unauthorised access, over-collection, and prolonged data retention. Understanding the legal contours, operational standards, and liability framework applicable to Consent Managers will therefore become essential for professionals engaged in technology-enabled tax practice.

Beyond compliance, the Consent Manager framework also presents a potential new business opportunity. Tax technology providers, professional firms, and regulated intermediaries may explore the development of DPDP-compliant consent management solutions tailored to tax workflows, including GST filings, income-tax representations, audit authorisations, and litigation support. By positioning themselves at the intersection of data protection law and tax administration, such platforms could offer value-added services that combine regulatory assurance with operational efficiency.

Significant Data Fiduciaries: Large Tax Platforms at Risk

The DPDP framework introduces an enhanced compliance regime for entities classified as Significant Data Fiduciaries (SDFs), a designation that is likely to encompass large tax filing platforms, payroll aggregators, and GST compliance service providers operating at scale. Owing to the volume and sensitivity of personal and financial data processed, the Central Government may notify such tax technology entities as SDFs, thereby subjecting them to heightened statutory obligations. Once designated, these platforms are required to appoint a Data Protection Officer (DPO) based in India, undertake periodic and annual data protection audits, conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, and ensure transparency and accountability in algorithmic decision-making systems that influence compliance outcomes or risk profiling.

For tax technology companies, this marks a decisive shift in regulatory expectations. DPDP compliance is no longer a peripheral governance concern but becomes structurally intertwined with their core business model, much like adherence to GST, income-tax, and regulatory reporting obligations. Failures in data governance, whether in audit readiness, algorithmic opacity, or risk assessment processes, can now attract penalties comparable to substantive tax defaults.

Penalties: A New Dimension of Professional Risk

Unlike disciplinary proceedings before professional bodies or penalties under tax statutes, DPDP violations attract civil penalties of an unprecedented scale. Failure to implement reasonable security safeguards for personal data may invite penalties extending up to ₹250 crore, while failure to notify data breaches to affected individuals and the Data Protection Board can attract penalties of up to ₹200 crore. Even general non-compliance with the Act and Rules carries exposure of up to ₹50 crore, underscoring the seriousness with which data governance failures are viewed under the new regime.

For tax professionals and firms, the DPDP framework compels a fundamental reassessment of professional risk management. Traditional professional indemnity insurance, internal controls, and governance structures designed around tax advisory risks may no longer be adequate. Firms must re-evaluate coverage limits, redesign internal compliance frameworks, and embed data protection governance at the same level of seriousness as statutory tax compliance, recognising that DPDP exposure has become an inseparable component of modern tax practice.

Professional Ethics, Confidentiality and DPDP

The DPDP Act does not displace the long-standing ethical and confidentiality obligations that govern tax professionals under their respective professional statutes; rather, it reinforces and formalises them within a statutory data protection framework. Duties of confidentiality imposed under the Chartered Accountants Act, the Advocates Act, and the Company Secretaries Act have historically functioned as core ethical norms, enforced primarily through self-regulatory disciplinary mechanisms. These obligations are deeply embedded in professional culture, premised on trust, fiduciary responsibility, and the inviolability of client information. The DPDP regime builds upon this foundation, recognising the sanctity of confidential information while extending its protection into the digital and technology-mediated domain of modern professional practice.

However, the ethical duties that were once largely internal to the profession are now subject to oversight by an external statutory authority, namely, the Data Protection Board of India. Confidentiality is no longer merely a question of professional propriety or disciplinary compliance; it is recast as a legally enforceable obligation, breach of which attracts significant civil penalties.

For tax professionals, this convergence of professional ethics and data protection law has profound implications. A lapse that might earlier have resulted in censure, suspension, or reputational harm can now trigger parallel consequences under the DPDP framework, including regulatory proceedings and substantial financial exposure. The protection of client data thus ceases to be an internal matter of professional honour alone and becomes a matter of public law compliance. In this sense, the DPDP Act elevates confidentiality from an ethical ideal to a legally policed standard, demanding that tax professionals institutionalise data protection as an integral element of professional conduct, governance, and accountability in an increasingly digitised tax ecosystem.

From Tax Advisors to Data Trustees

As the DPDP Act and Rules become fully enforceable on 14 May 2027, tax professionals are confronted with a transformative mandate to evolve from traditional fiscal advisors into conscientious trustees of digital personal data. This evolution requires a structured, phased approach to compliance, encompassing comprehensive data mapping and classification, the redesign of engagement documentation to ensure privacy-compliant consent, rigorous review of contracts with data processors, robust incident response planning, and systematic staff training. Equally critical is the establishment of transparent client communication frameworks, ensuring that Data Principals are informed of their rights and the mechanisms through which those rights are exercised.

Adopting this proactive approach is no longer optional. Early movers in this space will not merely mitigate the risk of substantial DPDP penalties; they will accrue a competitive advantage in a tax ecosystem increasingly defined by trust, transparency, and regulatory accountability.

In an era marked by faceless assessments, AI-driven risk profiling, and data-intensive enforcement, the principles of data protection are inseparable from professional competence. The road to 2027 challenges professionals to rethink their role fundamentally: those who embrace the responsibilities of data trusteeship will define the future of tax practice, setting the standard for ethical, secure, and digitally resilient advisory services in India’s increasingly automated fiscal landscape.

Mr. M. G. Kodandaram, IRS.
Advocate and Consultant

